Elliptic Curve Cryptography (ECC) in SSL Certificates

Friday, December 4, 2015

As you look to understand the types of cryptography used in encryption, the term ‘Elliptic Curve Cryptography’ (ECC) may appear, sounding mathematically challenging and complex. However, looked at simply, the term breaks down into two parts, each explained further below.

One use case of the ECC algorithm is SSL/TLS certificates: ECC-based SSL certificates may be specifically requested for Microsoft and Apache servers, with the aim of increasing encryption security and making better use of server memory.

Breaking Down Elliptic Curve Cryptography

1. Elliptic Curve

In mathematics, an elliptic curve is a curve with no self-intersections, and no origin is specified on the curve itself. The equation behind an elliptic curve is flexible and can be defined over the real numbers, complex numbers, rational numbers, and over general or finite fields.

Because of this unique characteristic, two researchers, Neal Koblitz and Victor S. Miller, proposed the use of elliptic curves over finite fields in cryptography in 1985.

2. Cryptography

Cryptography, on the other hand, is the modern form of encryption in computing that translates plaintext into ciphertext. Two types of keys are used for encrypting and decrypting: (1) symmetric keys and (2) asymmetric keys.

Symmetric-key Cryptography

Symmetric-key cryptography uses the same shared key to encrypt and decrypt messages.

Asymmetric-key Cryptography

Asymmetric-key cryptography, conversely, uses a public-private key pair. The holder of the private key sends the public key to a sender, who uses it to encrypt the message. The holder of the private key can then decrypt the message using the private key that only they hold.

The ECC algorithm falls under asymmetric-key systems.

Piecing Together: Elliptic Curve Cryptography (ECC)

ECC falls under asymmetric systems and is an alternative to the RSA (Rivest-Shamir-Adleman) algorithm; it is commonly used in websites, IC cards and Bitcoin as an encryption algorithm.

A generic mechanism of ECC is illustrated below:

1. Person A and Person B agree on and fix a point “P” on the elliptic curve when they want to share a key.
2. They each randomly choose secret numbers “a” and “b” respectively; Person A then passes “aP” to Person B and Person B passes “bP” to Person A.
3. Person A multiplies “bP” by “a” (a(bP) = abP) and Person B multiplies “aP” by “b” (b(aP) = baP).
4. “abP” equals “baP” on the elliptic curve, so the two parties now share this numerical value secretly. Using this value as the key in common-key (symmetric) cryptography, the message is encrypted.
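The four steps above, worked through on a toy curve as an added example (this code is not from the original post). It assumes the constructed curve y² = x³ + 2x + 3 over F₉₇ with base point P = (3, 6) and the constructed secrets a = 7 and b = 11; the parameters are far too small for real use and exist only to show that a(bP) and b(aP) land on the same point.

```python
# Toy elliptic-curve key exchange over F_p, mirroring steps 1-4 above.
# Curve y^2 = x^3 + A*x + B (mod P_MOD); constructed parameters, not real-world ones.
P_MOD = 97
A, B = 2, 3
O = None  # point at infinity, the group identity

def on_curve(pt):
    """True if pt satisfies the curve equation (O is always on the curve)."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def point_add(p1, p2):
    """Chord-and-tangent addition of two curve points."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # p1 == -p2, including doubling a point whose y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)         # chord slope
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k, pt):
    """Compute k*pt by double-and-add: the 'aP' step each party performs."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ecdh(base_point, a, b):
    """Run the exchange; returns (aP sent by A, bP sent by B, a(bP), b(aP))."""
    aP = scalar_mult(a, base_point)
    bP = scalar_mult(b, base_point)
    return aP, bP, scalar_mult(a, bP), scalar_mult(b, aP)

if __name__ == "__main__":
    aP, bP, shared_a, shared_b = ecdh((3, 6), 7, 11)
    print("A sends", aP, "B sends", bP, "shared:", shared_a, shared_a == shared_b)
```

Only aP and bP cross the wire; recovering a or b from them is the elliptic-curve discrete logarithm problem, which is what the key sizes in the next paragraph are measured against.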

ECC keys have both benefits and concerns. An ECC key is small, so it improves data transmission speed and requires less CPU and memory. An ECC key is also as secure as a far larger RSA key: for example, a 256-bit ECC key is equivalent to a 3,072-bit RSA key, and a 521-bit ECC key is equivalent to a 15,360-bit RSA key.

On the other hand, not all browsers and servers interoperate with ECC-based SSL certificates, so users should consider the implementation of ECC-based certificates carefully in advance.

Knowing your objectives for the use of SSL certificates is important. If the sole purpose is back-end use with Microsoft or Apache servers, an ECC-based SSL certificate may be suitable. But if it is for use with general visitors, an ECC-based SSL certificate may not be recommended.